wok-current diff xorg-server/stuff/CVE-2023-5380.patch @ rev 25634
Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
| author | Stanislas Leduc <shann@slitaz.org> |
|---|---|
| date | Sun Jan 14 08:12:37 2024 +0000 (20 months ago) |
| parents | |
| children |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/xorg-server/stuff/CVE-2023-5380.patch Sun Jan 14 08:12:37 2024 +0000 1.3 @@ -0,0 +1,99 @@ 1.4 +From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 1.5 +From: Peter Hutterer <peter.hutterer@who-t.net> 1.6 +Date: Thu, 5 Oct 2023 12:19:45 +1000 1.7 +Subject: [PATCH] mi: reset the PointerWindows reference on screen switch 1.8 + 1.9 +PointerWindows[] keeps a reference to the last window our sprite 1.10 +entered - changes are usually handled by CheckMotion(). 1.11 + 1.12 +If we switch between screens via XWarpPointer our 1.13 +dev->spriteInfo->sprite->win is set to the new screen's root window. 1.14 +If there's another window at the cursor location CheckMotion() will 1.15 +trigger the right enter/leave events later. If there is not, it skips 1.16 +that process and we never trigger LeaveWindow() - PointerWindows[] for 1.17 +the device still refers to the previous window. 1.18 + 1.19 +If that window is destroyed we have a dangling reference that will 1.20 +eventually cause a use-after-free bug when checking the window hierarchy 1.21 +later. 1.22 + 1.23 +To trigger this, we require: 1.24 +- two protocol screens 1.25 +- XWarpPointer to the other screen's root window 1.26 +- XDestroyWindow before entering any other window 1.27 + 1.28 +This is a niche bug so we hack around it by making sure we reset the 1.29 +PointerWindows[] entry so we cannot have a dangling pointer. This 1.30 +doesn't handle Enter/Leave events correctly but the previous code didn't 1.31 +either. 1.32 + 1.33 +CVE-2023-5380, ZDI-CAN-21608 1.34 + 1.35 +This vulnerability was discovered by: 1.36 +Sri working with Trend Micro Zero Day Initiative 1.37 + 1.38 +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> 1.39 +Reviewed-by: Adam Jackson <ajax@redhat.com> 1.40 +--- 1.41 + dix/enterleave.h | 2 -- 1.42 + include/eventstr.h | 3 +++ 1.43 + mi/mipointer.c | 17 +++++++++++++++-- 1.44 + 3 files changed, 18 insertions(+), 4 deletions(-) 1.45 + 1.46 +diff --git a/dix/enterleave.h b/dix/enterleave.h 1.47 +index 4b833d8a3b..e8af924c68 100644 1.48 +--- a/dix/enterleave.h 1.49 ++++ b/dix/enterleave.h 1.50 +@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, 1.51 + 1.52 + extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); 1.53 + 1.54 +-extern void LeaveWindow(DeviceIntPtr dev); 1.55 +- 1.56 + extern void CoreFocusEvent(DeviceIntPtr kbd, 1.57 + int type, int mode, int detail, WindowPtr pWin); 1.58 + 1.59 +diff --git a/include/eventstr.h b/include/eventstr.h 1.60 +index 93308f9b24..a9926eaeef 100644 1.61 +--- a/include/eventstr.h 1.62 ++++ b/include/eventstr.h 1.63 +@@ -335,4 +335,7 @@ union _InternalEvent { 1.64 + GestureEvent gesture_event; 1.65 + }; 1.66 + 1.67 ++extern void 1.68 ++LeaveWindow(DeviceIntPtr dev); 1.69 ++ 1.70 + #endif 1.71 +diff --git a/mi/mipointer.c b/mi/mipointer.c 1.72 +index a638f25d4a..8cf0035140 100644 1.73 +--- a/mi/mipointer.c 1.74 ++++ b/mi/mipointer.c 1.75 +@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) 1.76 + #ifdef PANORAMIX 1.77 + && noPanoramiXExtension 1.78 + #endif 1.79 +- ) 1.80 +- UpdateSpriteForScreen(pDev, pScreen); 1.81 ++ ) { 1.82 ++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); 1.83 ++ /* Hack for CVE-2023-5380: if we're moving 1.84 ++ * screens PointerWindows[] keeps referring to the 1.85 ++ * old window. If that gets destroyed we have a UAF 1.86 ++ * bug later. Only happens when jumping from a window 1.87 ++ * to the root window on the other screen. 1.88 ++ * Enter/Leave events are incorrect for that case but 1.89 ++ * too niche to fix. 1.90 ++ */ 1.91 ++ LeaveWindow(pDev); 1.92 ++ if (master) 1.93 ++ LeaveWindow(master); 1.94 ++ UpdateSpriteForScreen(pDev, pScreen); 1.95 ++ } 1.96 + } 1.97 + 1.98 + /** 1.99 +-- 1.100 +GitLab 1.101 + 1.102 +B